Zero-day exploits: Separating fact from fiction

You may be surprised by the number and availability of zero-days, but that's no reason to let an attack catch you unprepared

InfoWorld|Dec 10, 2013

Zero-day exploits strike fear into the heart of computer security pros. An active attack, unrecognized by antimalware software and without a ready vendor patch, is harder to deal with than your run-of-the-mill security bug. You can't just run a scanner, slap on a patch, high-five your friends, and call it a day.

With zero-days, you wonder what mitigation you can apply while waiting for the vendor to release a patch. Worse, some mitigations do more damage than the exploit itself. That's why most customers don't do anything. They remain unprotected until the vendor pushes the patch.


Fortunately, while zero-days get lots of press, they aren't a huge factor. The vast majority of successful attacks and exploits arrive after the vendor has released the patch. In most cases, zero-day attacks are fairly targeted, so even the exploits "in the wild" don't spread worldwide. For example, the Stuxnet worm contained a few zero-days, but it was meant to take down specific targets, even if thousands of copies later leaked out all across the globe.

Zero-days may occur rarely, but they're high-risk, so you need to have a plan for them. Just how frequent are zero-days, whether in the wild or not? Initially, based on reading I've done over the years, I thought the number would be quite low -- perhaps five to seven zero-days per year. But a recently released NSS Labs white paper convinced me that I've underestimated.

NSS Labs: More zeros than you think

Entitled "The Known Unknowns," the white paper analyzed data from two professional firms that offer zero-days to customers on a very expensive subscription basis. The author writes, "On any given day over the past 3 years, two vulnerability purchase programs alone gave their privileged subscribers early access to at least 58 vulnerabilities, on average, in Microsoft, Apple, Oracle or Adobe products."

Then NSS did a little more research and widened its net to more exploit vendors. In doing so, it determined that more than 100 zero-days were for sale this year alone. According to NSS Labs, the zero-days remained undisclosed to their vendors or the public for an average of 151 days. The paper continues: "NSS found subscriptions delivering 25 zero-day vulnerabilities per year can be had for $2.5 million." Not cheap!

But any nation-state can pony up that kind of money, and NSS Labs feels that some organized cyber criminals are readily capable of raising the needed funds. The paper closes with the warning, "These numbers are considered a minimum estimate of [zero-days], as it is unlikely that cybercriminals, brokers, or government agencies will ever share data about their operations."

Zero-day defenses

However you spin the numbers, the fact is you could easily be exposed to one or more zero-days in a given year. What can you do to defend yourself if you can't afford million-dollar subscription fees?

First, there are dozens of companies that offer products claiming to detect 100 percent of malware and exploits, including zero-days. Anytime you encounter that claim, run the other way as fast as possible. What they're saying simply isn't possible -- or isn't possible without a ton of false positives. (All you well-meaning vendors about to email me to say I'm wrong, that you can in fact detect 100 percent of all malware? Please don't waste the time and electronic bits -- please.)

Nonetheless, you can find solutions that help detect and/or defend against zero-days. If you're worried about the risk or have been targeted before, it can't hurt to test. Your best bet is to get a reference from a customer that successfully used the product.

But that's not all you should do. Have general mitigations ready to deploy before you need them. If you run an Active Directory network, consider using Group Policy to push those mitigations out: use it to disable affected services, and use network and host-based firewalls to limit malicious spread and damage.
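The "have mitigations ready" advice above is easier to follow if the mitigation is already scripted and reversible. The PowerShell below is an added example, not code from the column or from any product it mentions: it stops and disables a service, adds a host-firewall rule that blocks the exposed port, and records the pre-change state so the same script can roll everything back once the vendor patch lands. The service name and port are placeholders, the state-file path is an arbitrary choice, and the script assumes it runs with administrator rights on Windows 8 / Server 2012 or later (PowerShell 5.1+, NetSecurity module present).

```powershell
# Added example (not from the InfoWorld column): stage a reversible host-level
# zero-day mitigation and keep enough state to undo it later.
param(
    [string]$ServiceName = 'PLACEHOLDER_SERVICE',   # placeholder: service the affected component runs as
    [int]$BlockPort      = 65000,                   # placeholder: TCP port the exposed listener uses
    [string]$StatePath   = "$env:ProgramData\zd-mitigation-state.json",  # arbitrary location for rollback data
    [switch]$Rollback
)

$ruleName = "ZeroDayMitigation-Block-$BlockPort"

function Save-PreMitigationState {
    # Capture startup type and running state so rollback restores exactly what was there.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    $state = [pscustomobject]@{
        ServiceName = $ServiceName
        StartType   = $svc.StartType.ToString()   # Automatic / Manual / Disabled
        WasRunning  = ($svc.Status -eq 'Running')
        RuleName    = $ruleName
        Applied     = (Get-Date).ToString('o')
    }
    $state | ConvertTo-Json | Set-Content -Path $StatePath
    return $state
}

function Invoke-Mitigation {
    $null = Save-PreMitigationState
    # Stop the service and keep it from coming back on reboot.
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $ServiceName -StartupType Disabled
    # Block inbound traffic to the exposed port on every firewall profile (idempotent).
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $BlockPort -Action Block -Profile Any | Out-Null
    }
    Write-Output "Mitigation applied to '$ServiceName'; rollback state saved to $StatePath"
}

function Undo-Mitigation {
    if (-not (Test-Path $StatePath)) { throw "No saved state at $StatePath; nothing to roll back." }
    $state = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    Remove-NetFirewallRule -DisplayName $state.RuleName -ErrorAction SilentlyContinue
    # Restore the original startup type, then restart only if it was running before.
    Set-Service -Name $state.ServiceName -StartupType $state.StartType
    if ($state.WasRunning) { Start-Service -Name $state.ServiceName }
    Remove-Item -Path $StatePath
    Write-Output "Mitigation rolled back for '$($state.ServiceName)'"
}

if ($Rollback) { Undo-Mitigation } else { Invoke-Mitigation }
```

To deploy it through Group Policy, attach the script as a computer startup script in a GPO linked to the affected OU; to unwind it after patching, remove that link and run the script once more with `-Rollback`. Recording the prior state is the part most ad-hoc mitigations skip, and it is what keeps the cleanup from becoming its own outage.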

Make sure you have a good incident response team and process in place. Make sure you have top-notch forensic investigators, at least on-call. Be prepared to shut down the affected network segment -- or perhaps even the entire network -- to stop the threat. Can that be done? Would you have senior management's support? Decide ahead of time when to involve senior management.

Most companies will never be hit by a zero-day attack. But that doesn't absolve you from adequately preparing for one.